Istio on AKS
There are two common ways to run Istio on AKS:
- Use the AKS Istio add-on
- Install and manage open-source Istio yourself
A newer Application Networking on AKS capability (in preview) is also emerging as a more fully managed, Istio-based option. It is introduced later on this page.
AKS Istio Add-on
The AKS Istio add-on provides a Microsoft-managed way to deploy Istio components into an AKS cluster. Azure manages supported Istio revisions and integrates the add-on with AKS lifecycle operations.
This is usually the best starting point when you want Istio capabilities but do not want to fully own Istio installation and lifecycle management.
Benefits include:
- Simplified installation through Azure CLI or ARM/Bicep
- Managed Istio control plane lifecycle
- Supported Istio revisions for AKS
- Easier alignment with AKS upgrades and support boundaries
Considerations include:
- Not every upstream Istio feature or version may be available immediately - for example, Ambient Mode is not currently supported
- Some features require additional configuration after enabling the add-on
- You still need to understand Istio resources and traffic policy
- You should validate add-on support in your target AKS region and Kubernetes version
Self-Managed Istio
Self-managed Istio gives you full control over installation, version, feature gates, and add-ons. This can be useful if you need a feature that is not supported by the AKS add-on, or if your organisation already has a standard Istio operating model.
The trade-off is that your platform team owns more of the lifecycle:
- Installation method
- Upgrades
- Security patches
- Compatibility testing
- Operational troubleshooting
Application Networking on AKS (Preview)
Beyond the Istio add-on, Microsoft is building a more fully managed Application Networking on AKS experience, currently in preview. It is built on Istio and aims to provide application-level networking - service-to-service connectivity, security, and traffic management - as a managed capability, reducing the amount of Istio configuration and lifecycle work a platform team has to own directly.
Compared with the existing add-on, the goal of this offering is to push more of the mesh setup, defaults, and day-2 operations into the managed platform, so teams can adopt service mesh patterns with less hands-on Istio expertise.
Info
Application Networking on AKS is in preview. Preview features should not be used for production workloads, and capabilities, naming, and availability can change before general availability. Always check the current AKS documentation for what is supported, in which regions, and on which Kubernetes versions before planning around it.
The rest of this module and the lab use the generally available Istio add-on, which remains the recommended starting point today.
Common AKS Use Cases
Istio on AKS is often used for:
- Canary deployments - gradually shift traffic between app versions.
- Zero-trust service communication - enforce mTLS and authorization between workloads.
- Ingress standardisation - use Istio ingress gateways for consistent traffic control.
- Telemetry standardisation - produce consistent metrics and traces across services.
- Resilience policy - apply retries, timeouts, and circuit breaking centrally.
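
For the zero-trust use case in the list above, here is an added example (not from the original page or its lab) of the Istio resources that enforce it: mesh-wide strict mTLS, a namespace default-deny, and one explicit allow keyed to a workload identity. It assumes the add-on's root namespace is `aks-istio-system` and the default `cluster.local` trust domain; the `shop` namespace, the `frontend` service account and the `app: orders` label are hypothetical.

```yaml
# Added example. Names under "shop" are hypothetical placeholders.
# Assumption: aks-istio-system is the mesh root namespace for the AKS add-on.

# 1. Mesh-wide: sidecar-injected workloads reject plaintext traffic.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: aks-istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Namespace default-deny: an ALLOW policy with no rules matches no request,
#    so every call into "shop" is denied unless another policy allows it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: shop
spec: {}
---
# 3. Explicit allow: only the frontend service account may call the orders
#    workload, and only with GET or POST.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        # Identity comes from the caller's mTLS certificate, so this rule
        # is only meaningful when mTLS is enforced (step 1).
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

Workloads without an injected sidecar are not covered by these policies, so confirm injection is enabled on each namespace before relying on them.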